ICO Deputy Commissioner (Operations) James Dipple-Johnstone – speech to the CBI Cyber Security: Business Insight Conference
Thanks for the welcome and the great words. It is my – rather daunting – honour to not only follow Ciaran, but also to live up to the speech given in this same slot at last year’s conference … by my boss.
I would like to use my time today to reflect on Elizabeth Denham’s speech from last year and try to cover the changes that have occurred since then. But first I would like to quote Elizabeth directly, where she stated, effectively, why I am here today.
“Data security and data privacy have always been linked. Privacy depends on security. No obligation to provide privacy will be meaningful if the data to be protected are accessed or stolen by unauthorized third parties. As a result, all modern data protection principles include an obligation to protect information and security and that has been recognized in every significant codification of data protection, including the EU General Data Protection Regulation and the new Data Protection Act.”
The past year
You will, I hope, pardon me for stating the obvious when I say that a lot has happened since last September.
The GDPR and the Data Protection Act are of course now law, and we have had just over three months to assess their immediate impact and prepare for our new powers.
We launched our draft Regulatory Action Policy in May, which sets out the objectives that guide us as we use those new regulatory powers. We ran a public consultation on the policy, after which we made appropriate amendments and submitted it to Parliament. We hope that the policy will be approved in the near future when Parliament returns from the conference break.
Our investigation into data analytics for political purposes has been thrust into the centre of political discourse, both here and in the US. There is hopefully much learning in our reports about the role and challenges of analytics in the modern democratic process.
And, coming back to the current topic, we reaffirmed our commitment to make technology the backbone of our organisation when we launched our first Technology Strategy in the spring. That has since been backed up by further action on our part, including:
- Improving our skill base, by introducing new training and actively recruiting the technology resource we need for the future.
- Increasing our response to data breach reports and our investigation capability.
- And appointing Simon McDougall as our new Executive Director for Technology Policy and Innovation. Simon, who is known to many of you, will lead our new approaches to information rights practice, developing new ideas and innovative approaches to protecting people’s
We are also working to build stronger links with the wider cyber security community. We have just closed the first funding round for our new grants programme, which invites organisations to bid for funding to support independent, innovative data protection research and solutions. And we have announced our first post-doctoral research programme looking at the regulatory implications of AI.
Later this year we will launch our new regulatory “sandbox”, to help organisations develop innovative products and services in a safe space while benefitting from advice and support from the ICO to do so.
And, also in May, we launched our GDPR security outcomes, in partnership with the National Cyber Security Centre. These set out the technical measures which we consider to be appropriate security measures under the GDPR. They cover:
- Managing your security risk;
- protecting personal data against security attack;
- detecting security events, and
- minimising the impact of breaches when they occur.
Working with other organisations
We continue to work closely with partners in this area, including the other Competent Authorities in the regulatory sector, both here and internationally, which share regulation of the NIS and GDPR. We will also align our communications and guidance where appropriate with the NCSC and NCA, to provide better clarity of expectations, to protect the public and to support organisations in the public and private sectors.
I know that there is sometimes concern about a working relationship between regulators like the ICO and law enforcement or the NCSC. It is a fine line we tread between our clear responsibilities. The NCSC are clearly not a regulator and do not share company information with us for regulatory use. Their support is however invaluable to our teams to understand the general cyber threat and they share our intent to protect and support UK citizens and industry. And we will try to co-ordinate during the initial phase of an incident to ensure multiple and varied requests of companies are properly co-ordinated.
As our regulatory action policy explains, where you engage proactively to protect customers and the public the ICO will take that into account both in the type of regulatory response and also the scale of any enforcement action. This includes consideration of any mitigation where you have reported voluntarily to the NCSC and engaged their advice.
As a regulator the ICO does not seek perfection even if to some it may feel like that. We seek evidence of senior management and board level insight and accountability. We seek evidence of systems that provide a robust level of protection and privacy. The small number of fines we issue always seem to get the headlines, but we close many thousands of incidents each year without financial penalty but with advice, guidance and reassurance. For every investigation which ends in a fine, we have many audits, advisory visits and guidance sessions. That is the real norm of the work we do.
And we will continue to work with other regulatory bodies, the DCMS, law enforcement and others in a way that we believe is unmatched around the world. Increasingly, we will look to draw out more detailed trends and themes from our work and share these with you and the public, so we can help everyone better protect themselves.
Last year we spent a lot of our time trying to bust some of the myths that arose around the new data protection regime. Two of the most persistent myths were that organisations would have to report every data breach involving personal information no matter how trivial, and, second, that we would be handing out enormous fines from the 25th May to a pre-determined list of companies.
Of course, neither of those are true. But now, with over three months of practice behind us, I can bring you our very first “ready reckoner” of breach reporting under the GDPR.
We have been receiving around 500 calls a week to our breach reporting line since 25th May, and roughly a third of these are from organisations who, after a discussion with our officers, decide that their breach doesn’t meet our reporting threshold.
Around one in five reported breaches involves a cyber incident, and nearly half of those are the result of phishing. Beyond phishing, the causes include malware (10%), misconfiguration (8%) and ransomware (6%), amongst others.
The key trends we are finding from our reporting system include:
- Organisations are struggling with the concept of 72 hours as defined by the GDPR. Remember: it’s not 72 working hours; the clock starts ticking from the moment you become aware of the breach.
- Some reports are incomplete. Our guidance sets out very clearly what you should include when you report a breach. You might not have all that information to hand in the first 72 hours, we get that, but please plan ahead: have people with suitable seniority and clearance to talk to us, be ready to provide as much detail as you can, and be able to tell us when we can expect the rest. It is not very helpful to be told there is a breach affecting lots of customers but that the reporter isn’t authorised by the general counsel to tell us more than that! If you don’t assign adequate resources to managing the breach, we may ask you why not.
- Some controllers are “over-reporting”: reporting a breach just to be transparent, because they want to manage their perceived risk or because they think that everything needs to be reported. We understand this will be an issue in the early months of a new system but we will be working with organisations to try and discourage this in future once we are all more familiar with the new threshold.
So our advice to you is:
- Read our reporting guidance – and please don’t wait for a breach to happen before you do.
- Take some time to gather information and make a decision about whether or not this is a breach that needs reporting. Again, refer to our guidance, particularly about the reporting threshold.
- Report by phone, particularly if you need advice about how to manage a breach or whether or not to tell your customers.
- Take extra steps to prevent cyber attacks: implement a multi-layered approach, such as two-factor authentication, email filters and anti-spoofing controls, together with enhanced staff training and awareness.
- Look at the NCSC / ICO security outcomes and double check against the advice there.
Moving on to monetary penalties: we have set out our approach to using our new powers in our Regulatory Action Policy, as required by Parliament, and that policy is now back with them for approval. Unfortunately – or maybe fortunately – we have not yet issued any fines for breaches of the new regime, so we cannot share learning about our approach. Yet.
But there is one further myth in this area I am very happy to scotch: we are not a revenue generating organisation! I suspect that no-one in this room thinks this, but there are commentators out there who do.
So I will say this as plainly as I can: any monetary penalties we levy go straight to the Treasury. We do not see them, and raising money has nothing to do with how we regulate or how we fund the office.
We have a significant range of enforcement and sanctioning powers – but our sole purpose in selecting and using them is to uphold individuals’ information rights in the digital age.
Our annual survey shows that the number of people who have trust and confidence in how companies use their personal information is up from one in five to one in three. That is encouraging, but it is still not enough, and the private sector lags behind the levels of confidence in the public sector – so there is a lot of work we can all do.
Time for some reassurance
We are, of course, currently living in volatile times, and I imagine that we will discuss some of those in the Q&A. But I would like to finish by dealing with a very real worry – that you will experience what Alex Cruz, Chief Executive of British Airways, described as “a sophisticated, malicious criminal attack” on your systems.
Whilst I cannot comment on the British Airways case today, I’m not going to deny that this is a real risk. But I would like to remind you about the ICO’s response if you are overpowered, and your sensitive data compromised by hackers.
If you take your responsibilities under the GDPR seriously, and have taken reasonable steps to protect that data in line with our security guidance, then we will recognise that. If you adopt privacy by design, treat cyber security as a boardroom issue, and demonstrate a robust culture with appropriate transparency, control and accountability for your and your customers’ data, then we will not usually have an issue with you should the worst happen.
If you make the right commitments to your customers – and work to keep them – then you have nothing to fear from an ICO inspection or investigation.
Why is this important? Well, there has been much commentary about higher level fines we have set for some large corporates in the past year.
There is, however, a common thread through these. It is that our investigations found that the organisations’ own controls and culture contributed to the incident.
I am reassured that much in the following sessions today touches upon these areas:
- poor board level awareness of the risk to the organisation,
- incomplete or missing corporate records including third party or inter-group contracts and policies,
- lapsed staff training,
- policies repeatedly not followed,
- a lack of understanding of the DP risks of your supply chain or outsourced providers,
- investment in security deferred,
- poor data governance (particularly in test or product development environments),
- staff work arounds compromising security systems because the agreed way of working is not the easiest way of working,
- and obvious misconfiguration of systems leaving them open to long-known vulnerabilities.
We have plenty of advice about these issues on our website. There is much more on the NCSC’s. But, if you take one thing away from my talk with you today, it’s hopefully this: don’t underestimate the value of good data governance and the role of corporate internal controls when applied in safeguarding data assets. Too many boards are relying solely upon the word of their CTO. But is that fair? How many IT teams can reasonably be continually testing every potential gate when they think it’s been shut, while there may be other parts of the firm building new gates elsewhere? You may be surprised how often we get one or more of the following:
- "We didn’t know we had data there."
- "We haven’t got a signed copy of that."
- "We didn’t know that was how that worked."
- "We didn’t get round to that check in years."
- "I know it says that but we haven’t worked that way for years."
- "Yeah, I had some training when I started, but it’s all changed hasn’t it."
A good data governance element to your internal audit or assurance process will keep you on your toes, and will help you keep your systems and behaviours up to date and resilient. If the worst happens, and we visit, at the very least you will have the records and explanations ready for us about how you have been trying to meet your commitments.
And we can’t ask for more than that. Thank you.